Kerrey to seek IT security lab, panel

By Heather Harreld, Margret Johnston

Oct 04, 1998

Sen. Bob Kerrey (D-Neb.) plans to introduce a bill next year that would set up an information technology laboratory to help defend against threats to the nation's IT infrastructure and to ensure an exchange between government and industry about security threats.

Kerrey, the ranking minority member on the Senate Select Committee on Intelligence, intends to detail in a speech to the Senate this week a plan to establish a panel of government and industry officials to address the vulnerability of the U.S. information infrastructure.

A draft of Kerrey's speech, obtained by Federal Computer Week, cites recent widely publicized events— including the out-of-control satellite that rendered millions of pagers useless and an attack by teenage hackers in the Middle East on the Pentagon's computer system— as proof that the nation's computer systems that help provide vital services have an Achilles' heel.

Despite the United States' stature as the only superpower, the country is vulnerable to terrorists, criminals and saboteurs who have comparatively little manpower, weaponry or resources, and the threat they present requires a new paradigm, according to Kerrey's draft speech.

"Because we have the most complex multifaceted economy, we are a multifaceted target," according to the draft.

The laboratory and the panel would look at the broad spectrum of IT issues— including encryption, privacy, telecommunications and the Year 2000 problem— as opposed to focusing on facilities, such as power plants, that rely on the technology. The panel and the laboratory would invite the private sector to develop ways to protect civilian and commercial information technologies.

Earlier this year the President's Commission on Critical Infrastructure Protection encouraged voluntary coordination and information sharing between government and the private sector in the development of a defense of critical computer systems. But the commission's efforts uncovered a strong reluctance in the private sector to share information about threats and vulnerabilities.

Kerrey's draft speech stresses the need for government and the private sector to "get past the suspicion" because the infrastructure is vital to the defense of the country and the economy.

"We cannot overstate how important it is to get the government/industry relationships right because without them as a foundation, the value of all other efforts will be significantly diminished," according to the draft.

The panel would include at least four members of Congress, representatives of the legislative caucuses that have an interest and private-sector experts devoted both to the advancement of technology and to the security of our country."

Solve Fed Problems First

David Kennedy, director of research at the International Computer Security Association, said the government does need to work with industry, but it first must solve its own IT security problems.

"We've had a lot of wake-up calls...and no substantial positive action," he said. "The government has no credibility with industry so long as it continues to have problems. When the government can't keep its own circus in the tent, they have a hard time selling themselves to industry."

Winn Schwartau, an information warfare author and consultant, said federal efforts such as those outlined in the Kerrey proposal are just "bits and pieces" and lack the high-level view needed to address security.

"Addressing a bit and a piece at a time is like having a boat out in the water with a thousand leaks and saying, 'Hey, I patched one,' " Schwartau said. "Nobody in Washington has a true understanding...of what is going on here. Nobody in the private sector has provided a vision. There's nobody that's really got it."